I liked your article.
I agree with at least 90% of it. The part that I'm concerned with is
regarding comments that could negatively impact patch-management. At
the risk of making any Buddhist endeavour of slaying the ego more
difficult for you - you should understand that you have become a voice
that carries weight in the infosec community. While I can agree that
if your entire InfoSec Program is focussed on "security through
patchity", you are destined to lose at some point; I find it difficult
to reconcile the realities of the necessity to patch systems with the
following statement from your article:
... "Furthermore it's also perpetuating security through
patchity, a process that's so labor intensive to assure homeostasis
that nobody could maintain it indefinitely which is the exact
definition of a loser in the cat and mouse game."
I have followed ISECOM since early Idea Hamster days - and I continue
to approve of the out-of-the-box thinking that is promoted by you and
everyone involved. I don't think you are saying that patches are
unimportant - but the quote above might lead someone to think that
they might as well not try - because they are a dead mouse anyway.
If what you are saying is that we need more being done to secure
information, then I agree with you (and as an InfoSec Professional I
do more). But, if you are implying that patching and vulnerability
assessment is not required - I think you might be a part of the
'crazy' you have written about here.
Are we in agreement that patching, and vulnerability assessment should
be a part of the whole machine - but not the machine itself?
-metajunkie
On Mon, Jun 20, 2011 at 3:42 PM, Pete Herzog <lists (at) isecom (dot) org [email concealed]> wrote:
> The current security model is crazy. And the current crazy testing methods
> actually make it look like it's not. I think that's why so many people fail
> to see how broken the current consumer-ready security model is. Look at the
> current attacks and how security companies, even HUGE ones with their
> security measures and countermeasures built on this model are letting the
> people hang.
>
> This is how to pen test that scenario. This is how to pen test crazy.
>
> The whole article is available at:
>
> https://www.infosecisland.com/blogview/14651-How-to-Pen-Test-Crazy.html
>
> Sincerely,
> -pete.
>
> --
> Pete Herzog - Managing Director - pete (at) isecom (dot) org [email concealed]
> ISECOM - Institute for Security and Open Methodologies
> www.isecom.org - www.osstmm.org
> www.hackerhighschool.org - www.badpeopleproject.org
>
------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------